Microsoft November Patches: No turkeys served up this month

After a hectic month on high alert against KRACK and Bad Rabbit, the desktop management team at Options welcomed a less taxing Patch Tuesday this month. Microsoft released 53 updates this month, with the usual suspects, namely browsers and Office applications, taking most of the heat. What really shocked us was the 60+ updates released by Adobe. While there is nothing particularly alarming in the updates themselves, the sharp spike from zero last month, and only 8 the month before, has us wondering if Adobe has something lurking that we should be worried about.

What caught our eye?
Although not known to be exploited in the wild (yet), the publicly known vulnerabilities below should be top of the list to patch this month. With lots of updates directly referencing techniques used to spread unwanted software, we sense a strong malware theme. Is Microsoft aware of the next malware threat? Maybe. Let’s not wait to find out…

CVE-2017-11877 | Microsoft Excel Security Feature Bypass Vulnerability
This is a previously undisclosed vulnerability that may allow specially crafted Excel worksheets to bypass the usual macro auto-execution restrictions. Although not known to be exploited, there is no doubt that this will be top of the list for hackers.

Macros have been used all too often by hackers to spread malware, usually taking full advantage of human curiosity with file names like “corporate_salaries_all.xlsm”. We recommend running regular phishing training exercises with users to keep them educated, help them recognise the anatomy of suspicious content, and penalise where necessary those who repeatedly fail internal phishing tests. At Options we append a Dangerous Attachment message to the subject line of most emails containing XLSM files to encourage caution.

Microsoft has tagged this vulnerability as “exploitation less likely”, but we think this may warrant a “challenge accepted” response from the underground hackers.
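A content-based check behind the attachment-tagging practice described above, as an added example and not Options’ own gateway code: it inspects an OOXML attachment’s `[Content_Types].xml` and looks for a `vbaProject.bin` part, so a macro-enabled workbook is flagged even if it has been renamed to `.xlsx`. The sample files, the field names and the `[Dangerous Attachment]` prefix wording are constructed assumptions.

```python
import io
import zipfile

# OOXML main-part content types that mark a macro-enabled document.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
SUBJECT_PREFIX = "[Dangerous Attachment] "  # assumed wording, not Options' exact text


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment by content; the extension is deliberately ignored."""
    result = {"filename": filename, "is_ooxml": False, "has_vba": False,
              "macro_content_type": None, "tag": False}
    if not data.startswith(b"PK"):
        return result                       # not a zip container, so not OOXML
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result               # a zip, but not an Office package
            result["is_ooxml"] = True
            # A vbaProject.bin part is the VBA macro storage itself.
            result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = next(
                (ct for ct in MACRO_CONTENT_TYPES if ct in ctypes), None)
    except zipfile.BadZipFile:
        return result                       # corrupt archive: leave untagged here
    result["tag"] = result["has_vba"] or result["macro_content_type"] is not None
    return result


def tag_subject(subject: str, attachments) -> str:
    """Prefix the subject if any (name, bytes) attachment carries macros."""
    if any(inspect_attachment(n, d)["tag"] for n, d in attachments):
        return SUBJECT_PREFIX + subject
    return subject


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip for testing, not a real workbook."""
    ct = (MACRO_CONTENT_TYPES[0] if macro else
          "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/xl/workbook.xml" ContentType="{ct}"/></Types>')
        if macro:
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

A gateway would call `tag_subject(subject, [(name, bytes), ...])` per message; a macro-enabled sample renamed to `report.xlsx` is still tagged because the content, not the name, is inspected.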

CVE-2017-11827 | Microsoft Browser Memory Corruption Vulnerability

According to Microsoft, “a remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.”

As with other vulnerabilities we’ve seen this year, an attacker who successfully exploits the vulnerability could gain the same user rights as the current user. This is where we hammer home the importance of reviewing and reducing user rights on corporate PCs. If the current user is logged on with admin rights, the attacker can do significantly more damage by installing software, making changes to files and more.

How would it spread? Microsoft suggests that an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers, and then convince a user to view the website. The attacker could also take advantage of compromised websites by adding content that could exploit the vulnerability.

In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically via a tempting email or instant message, or by getting them to open an email attachment. Again, another reminder that your internal users should be savvy to phishing techniques.

A final word of caution: most browsers require at least one security update this month, so don’t think you are safe just because you don’t use IE or Edge!

ADV170020 | Microsoft Office Defense in Depth Update
Microsoft hasn’t provided very much information about this update other than saying “an update for Microsoft Office that provides enhanced security as a defense-in-depth measure”.

We suspect the background to this issue is related to the recent outpouring of malware abusing the Dynamic Data Exchange (DDE) protocol. DDE provides data exchange between Office and other Windows applications; however, hackers can leverage DDE fields to create documents that load malicious resources from an external server. Microsoft acknowledges that attackers may be abusing the feature, but it’s not exactly a vulnerability. Hopefully, the update provided by this advisory restricts the abuse of this “feature” in some manner.
If you’re concerned about attacks abusing DDE features, check out this page that shows how to disable the feature in the registry.

Conclusion
A relatively moderate month, both in volume and criticality. As we learned from Microsoft’s silent patching of the KRACK vulnerability though, we really never know what is around the corner. If you haven’t already patched against KRACK, the updates are cumulative so get on the ball in applying November’s updates! Until next time…